Publication date: November 13, 2024
by Łukasz Ruman, KIELTYKA GLADKOWSKI KG LEGAL
In today’s world, conducting financial activities electronically is becoming increasingly popular. Banks are focusing on conducting their activities via the Internet and electronic payments. Companies that conduct their accounting remotely and freely make payments using intangible money do the same.
Technical and IT support for such a large financial industry requires specialized entities. For this purpose, numerous companies have been established that are called “fintech”. The abbreviation comes from the English phrase financial technology. It is used to collectively name programs used to handle finances electronically, but also companies involved in the production and maintenance of such programs.
The activity of fintechs is very broad and is not limited to one category. It will include applications that help manage the household budget, applications for maintaining bank accounts, online currency exchange, applications for investing in the stock market or tax calculation programs. This catalog is open, and new solutions on the fintech market depend only and exclusively on the ingenuity of their creators.
An interesting example of fintech’s prowess is cross-border payment transactions. In today’s globalized world, running a business is no longer limited to operating within the borders of one country. Many companies offer their services in many countries at once. It has also become common to import some products from abroad. In many industries, serving foreign customers is a daily occurrence. All this generates demand for a service that deals with handling cross-border transactions.
This service should primarily focus on enabling customers to easily send and receive money from different countries. In practice, this will also involve the requirement to convert the customer’s funds. In addition, this service will have to focus on enabling the customer to be served by a foreign bank. Online payments are made through banks, so without contact with them it is not possible to conduct electronic finances.
In some countries, there may be formal requirements for foreigners that may be burdensome for an ordinary entrepreneur. An external entity that deals with such payments professionally will be able to fulfill these agreements faster and easier. This makes doing business much easier. It is no wonder that there is such a high demand for such activities.
However, it should be noted that a company providing such services will have to obtain a lot of sensitive data from the client. This creates a risk that it may leak, be stolen or be misused.
This industry is even more vulnerable to danger because banking services involve the most sensitive data. With such data it is easiest to gain access to someone’s account, impersonate someone or extort money from them.
To prevent this, there are a number of requirements and legal rules that fintech must meet in order to be able to conduct such activity. Their task is to provide customers with the greatest possible protection and guarantee the security of their data. Such a high level of requirements also has a positive impact on the market, because entrepreneurs are not afraid that as a result of conducting online payments, they could be exposed to danger.
Fintech is not a legal term. There is no separate act codifying the establishment and operation of such a company. It is a purely practical concept that collectively defines industries conducting financial activities via the Internet and technology. Therefore, in many cases, when looking for appropriate legal regulations, one should refer to general regulations.
Payment services are strongly regulated in Polish law. In the modern market economy system, it is de facto one of its most important elements. The security of transactions between entities depends on it. They ensure the possibility of the market functioning in the form it is. The activities of fintechs dealing with payment transactions, including cross-border ones, will fall within this scope.
The main source of law in this area is the Act of 19 August 2011 on payment services (Journal of Laws of 2024, item 30, as amended). Its subject matter scope is defined in art. 3 of this act. Payment services are understood broadly and concern many different activities. First of all, it is the handling and maintenance of a payment account, but also the execution of payment transactions, both concerning cash and electronic money. An important element of payment services is the so-called payment order. It means a payment service consisting in debiting a specific amount from the payer’s payment account as a result of a payment transaction initiated by the recipient, carried out on the basis of the consent that the payer has granted to the recipient, the recipient’s supplier or the payer’s supplier. Other examples of payment services are money transfer services and transfer orders.
According to the regulations of the act, only selected entities may provide payment services. The entity that has the right to do so is called a “payment service provider”. Only selected types of entities may be a provider. In the old approach to the market, this designation was primarily reserved for banks. However, there is a tendency in Polish and EU law to liberalize this system and allow other smaller private entities to provide these services. A set of entities that may be providers is included in Article 4 of the indicated Act, thus limiting the monopoly of banks. These are:
The question is how in practice they can translate into regulations on the operation of fintechs. Namely, in order for a fintech to conduct payment activity via electronic money, it must be recognized as one of these entities. This will mean obtaining the status of a payment institution or an electronic money institution. In both cases, the appropriate permit must be obtained first. Acting as another entity from this list would, in the case of a fintech, be impossible or would defeat the purpose of a fintech.
The Act defines a payment institution as a legal person that has obtained a permit to conduct business as a payment institution. The regulations on it are specified in art. 60 et seq. of the Act. According to them, a permit to conduct business is issued by the Polish Financial Supervision Authority (Polish: KNF). The Act specifies in art. 61 what should be attached to the application and in art. 64 the financial requirements that the entity must meet. A payment institution is subject to entry in the register of providers and issuers of electronic money.
The activity of a payment institution will depend on its initial capital. This is specified in art. 64 sec. 1 item 1. Depending on its amount, it will be able to perform more or fewer payment activities. In the case of a small capital, it will only be able to provide money transfer services (EUR 20,000) or payment transaction initiation services (EUR 50,000 capital). If it meets the upper limit of EUR 125,000 of initial capital, it can provide all payment services.
The Act defines electronic money institutions as legal persons that have obtained a permit to conduct business as electronic money institutions. This permit is also issued by the Polish Financial Supervision Authority (PFSA) and the provisions on permits to conduct business as payment institutions apply accordingly to the application for a permit. An electronic money institution is codified by art. 132a et seq. of the Act on Electronic Money. It is subject to entry in the register of electronic money providers and issuers.
An electronic money institution must have a founding capital of at least EUR 350,000. It can freely perform payment services. In addition, it can issue electronic money. It is worth noting that in this respect, an electronic money institution is superior to a payment institution. A payment institution can also issue electronic money, but it must first obtain separate consent and its issuance is subject to certain restrictions, e.g. it can only issue it in the territory of the Republic of Poland. In this case, an electronic money institution has much greater freedom.
There are also two other interesting entities that can provide payment services. The first is a small payment institution. It is similar to a regular payment institution. The main difference between them is that a small payment institution cannot provide the service of initiating a payment transaction or the service of access to account information, so the range of payment services it can perform is limited compared to a regular payment institution. In addition, the average total amount of payment transactions of a small payment institution from the previous 12 months cannot exceed EUR 1,500,000 per month. This is another limitation that does not allow a small payment institution to fully develop.
The second is a payment services office. According to the act, they can only provide money transfer services. In turn, their average total payment transactions from the previous 12 months cannot exceed EUR 500,000 per month. These are even more far-reaching restrictions, which mean that a payment services office will de facto apply only to one type of service and even then on a limited scale. It is therefore a very specialist entity and if fintech does not want to limit itself to just one field, it should not become an office. Both a small payment institution and a payment services office are subject to entry in the register of providers and issuers of electronic money.
Private entrepreneurs, e.g. fintechs wanting to provide payment services, should obtain the status of one or the other institution. In the case of other entities from art. 4 that can provide payment services, the fintech cannot obtain their status (bank, administrative body, etc.) or they have limitations on what they can do with providing payment services (small payment institution, payment services office). The best choice is therefore a payment institution and an electronic money institution. They give the fintech the greatest freedom. However, to obtain the status of an electronic money institution, much more funds must be contributed, but in return it gives the company the ability to issue electronic money. Therefore, the choice of the fintech path depends on what services it would like to provide.
As for cross-border activity, the Act allows both institutions to conduct it. In the case of a payment institution, this permission is contained in Article 91 of the Payment Services Act, and in the case of an electronic money institution in Article 132x of the Payment Services Act. In both cases, however, both institutions must notify the PFSA in advance. They submit a special application, the requirements of which are specified in the Act (Article 92 of the Payment Services Act in the case of a payment institution, while an electronic money institution refers to the appropriate application of the same provisions in Article 132x section 2 of the Payment Services Act) and if the PFSA accepts the application, it will make an appropriate entry of the institution in the register of electronic money providers and issuers.
On the other hand, in accordance with Article 96 of the Payment Services Act, a payment institution from another Member State may perform payment services in the territory of the Republic of Poland through its branch or agent.
According to these principles, there are no major obstacles to conducting cross-border transactions, whether the institution is of Polish origin or from another Member State. This is dictated by the requirements of the modern market, which is based on the global exchange of payments.
Another group of requirements that fintechs dealing with cross-border payments must meet is consumer protection. This is a similar situation to banking contracts. Fintech is an entity that professionally deals with handling such transactions. It is therefore in a stronger negotiating position and can impose unfair practices on its customers. On the other hand, the consumer is much weaker and will often be forced to be served by such companies. In order to ensure the security of trade, the legislator has established a number of standards that are intended to protect consumers who are in a weaker position. Although these are very general provisions and do not apply only to fintechs, one cannot forget about their existence. They are primarily used when concluding a contract between a company and a customer in an area with which the customer is not directly related economically or professionally.
At the very beginning, it is worth resolving one more doubt. Why are companies using fintech services subject to consumer protection, since they are businesses on a daily basis? It must be remembered that the definitions of a consumer and an entrepreneur are very open and their application will always depend on the type of contract concluded by the parties. It should therefore be borne in mind that this division is made in concreto in a given situation. Only when assessing a given obligation relationship do we assess which of the parties acted within the scope of their business activity and which did not. It may therefore happen that an entity that is an entrepreneur on a daily basis will act as a consumer in a contract with a fintech. In such a case, it is most certainly entitled to protection.
In the Polish legal system, the main provisions on consumer protection rights are found in the Act of 23 April 1964 – the Civil Code (consolidated text: Journal of Laws of 2024, item 1061, as amended) and the Act of 30 May 2014 on consumer rights (consolidated text: Journal of Laws of 2023, item 2759, as amended). However, it should be noted that, in accordance with Art. 4 of the Consumer Rights Act, as a rule, the Act does not apply to contracts for financial services, including payment services. The exceptions here are contracts concluded remotely or outside the entrepreneur’s premises. Due to its nature, Fintech will require customer registration via the Internet, and therefore it will be subject to the regulation of concluding contracts remotely.
The provisions of the Civil Code will primarily be used to control the standard form of the contract. Fintech, when presenting the client with the contract or the regulations of their website, will have to meet the appropriate requirements. The key here will be Article 384 §4 of the Civil Code, which specifies that if Fintech uses an electronic contract or regulations (and judging by the nature of this company, it will), it must make it available to the client before concluding the contract in such a way that it can be stored and opened in the ordinary course of business. It is therefore not permissible to present it only after concluding the contract. Therefore, if the payment service is subject to a tariff, the client must be informed of its amount in advance.
In addition, most websites and applications operate under regulations. In the constantly changing situation of the company, there may be a need to change these regulations. However, such a change is also subject to the same regulation. This means that the customer must be informed of the change and sent new regulations. There can be no situation where the customer is not aware of the change or where the entrepreneur has stipulated that the customer accepts it automatically. In addition, the regulations should include modification clauses.
In addition, the regulations and the agreement cannot contain any prohibited clauses, i.e. those that flagrantly violate the law and the customer’s interest in a manner contrary to good practice. Such clauses of the agreement will not bind the consumer.
Chapter 5 of the Consumer Protection Act contains detailed provisions regarding a financial agreement between an entrepreneur and a consumer concluded at a distance, and therefore also via the Internet, as in the case of fintechs. First of all, they specify the information that the fintech must provide to the customer before concluding the agreement or signing the regulations. Failure to comply with this obligation results in the consumer having the right to withdraw from the agreement. However, in accordance with art. 43 sec. 3 in the case of payment services, these requirements are limited.
Financial institutions, banks and payment institutions are particularly vulnerable to hacker attacks and attempts to take over personal data. These institutions have a rich database of their clients’ personal data, e.g. Personal Identification Number (PESEL number), addresses, telephone numbers, signatures. This data is particularly sensitive because it can allow unwanted people to impersonate someone, extort money or even steal money from an account. Practice shows that most cyberattacks are carried out on such institutions. Therefore, EU and national law has developed a number of requirements that fintech conducting payment services must meet. This is to ensure data protection and increase security against cyberattacks.
When it comes to the regulation protecting personal data, the key importance is given to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. of 2016, No. 119, p. 1, as amended), commonly known as GDPR.
The basic principles of data processing are:
Often, an individual will be required to consent to the preservation of their personal data.
The entity collecting the data must inform the person from whom the data originates in a concise, transparent, understandable and easily accessible manner. It should facilitate the exercise of their rights, not hinder them.
The data subject has the right to request immediate rectification of personal data concerning them that are incorrect. In addition, the person may also request that their data be supplemented. There is also the so-called right to be forgotten. This means that the data subject may request that they be deleted from the system in certain situations, primarily when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. The person may also request that the processing of their data be restricted. They may also object at any time to the processing of their data in an inappropriate manner.
Fintech, as a controller of personal data, has special obligations. First of all, it is responsible for implementing a data protection policy and ensuring that all requirements resulting from the directive are met. Data protection should be taken into account in terms of technical knowledge. Fintech is required to keep a register of data processing activities. It must also cooperate with the supervisory authority.
Fintech, taking into account technical knowledge and costs, is tasked with ensuring an appropriate level of security and minimizing the risk of data leakage. If a data breach occurs, the fintech should immediately report it to the supervisory authority. In addition, it should also notify the person whose data was breached.
Fintech can obtain a certificate from a designated entity that it has adequate knowledge of data protection. The certificate is valid throughout the EU.
In the case of payment services, there is also a risk that the system will be used for money laundering or other activities that violate the law. In order to counteract this threat, states impose additional obligations on some institutions, failure to comply with which may result in administrative penalties. This will also apply to fintechs dealing with cross-border payment services. They also carry a high risk of being used as a means to commit a crime.
Examples of such requirements can be found in the Act of 1 March 2018 on counteracting money laundering and terrorism financing (consolidated text: Journal of Laws of 2023, item 1124, as amended). It implements the provisions of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ EU. L. of 2015, No. 141, p. 73, as amended). Both acts are commonly referred to as AML (Anti-Money Laundering).
It is worth noting at the outset that, in accordance with Article 10a of the Personal Data Protection Act, fintech is exempt from personal data protection obligations when it performs obligations related to counteracting money laundering.
Article 2 of the AML Act defines a set of so-called obligated institutions, on which it imposes additional obligations. Among them is point 3, containing payment institutions and electronic money institutions and other payment service providers, i.e. the legal forms in which a fintech conducting payment services will have to appear.
The first obligation of obligated institutions is to apply financial security measures to their clients based on the risk of money laundering and terrorist financing determined by them. Their application must always be adequate to the level of risk. In the case of a low level of risk, the institution may apply simplified security measures, while in cases of higher risk, it applies enhanced measures. In addition, enhanced measures are also applied, among others, if the client has its registered office in a high-risk third country identified by the European Commission in a delegated act adopted under Article 9 of Directive 2015/849, in the case of cross-border correspondent relations with a respondent institution from a third country and in business relations with a politically exposed person. Detailed conditions for the application of security measures are contained in Article 35 of the AML Act.
In Article 34 et seq. of the AML Act, their types are listed:
In a situation where an institution cannot apply even one of the security measures, it is obliged not to establish business relations, not to conduct occasional transactions or transactions through a bank account, and to terminate business relations if they were previously concluded.
There are also so-called special restrictive measures. These include freezing property values and not making property values available directly or indirectly to persons and entities. These measures are applied only to persons and entities indicated on:
Institutions must also have internal and group procedures for combating money laundering and terrorism financing. They are also required to train their employees in this area.
Obligated institutions also participate in determining the national assessment of money laundering and terrorism financing risk. It takes into account factors related to customers, countries or geographical areas from which they come, products, services, transactions or their delivery channels. Such an assessment is prepared at least once every 2 years.
Another important element of protection is the Central Register of Beneficial Owners. It is maintained using an IT system by the Ministry of Finance. The body competent in its matters is the body delegated by the Minister of Finance. Currently, it is the Director of the Fiscal Administration Chamber in Bydgoszcz.
Its main task is to counteract money laundering and terrorism financing by introducing control not only of the transactions themselves, but also of their actual beneficiaries. This reduces the possibility of a criminal hiding in corporate structures and makes it easier for the services to locate the criminal.
Art. 2 sec. 2 item 1 of the Act defines the beneficial owner as “exerting direct or indirect control over the client through the powers held, which result from legal or factual circumstances, enabling the exercise of decisive influence on the actions or activities undertaken by the client, or any natural person on whose behalf business relations are established or an occasional transaction is carried out”.
In the case of a legal person other than a company whose securities are admitted to trading on a regulated market subject to disclosure requirements under European Union law or equivalent third country law:
And in the case of a trust:
In the case of a natural person conducting business activity in respect of whom there are no grounds or circumstances that could indicate the fact of exercising control over him or her by another natural person or natural persons, it is assumed that such a natural person is also the beneficial owner.
The obligation to report information on beneficial owners applies to:
The notification must include identification data of the reporting entity and the beneficial owner. The register is public and anyone can have access to it. The presumption of consistency of the data in the register applies.
Another requirement that fintech will have to meet will be to provide information to the General Inspector of Financial Information about the accepted payment or the payment of funds equivalent to more than EUR 15,000 and about the transfer of funds equivalent to more than EUR 15,000. This obligation is intended to increase the control of financial transactions of greater value, which will be more often suspicious.
There is also a general requirement for the obligated institution to immediately notify the General Inspector of circumstances that may indicate a suspicion of money laundering or terrorism financing. The General Inspector may also request the necessary documents and information from the institution.
The institution subject to the obligation is obliged to immediately notify the General Inspector. The General Inspector, if it considers that the reported transactions may be related to money laundering or terrorism financing, may request that the transaction be suspended or the accounts blocked for a period not longer than 96 hours. Immediately upon receipt of this request, the institution subject to the obligation shall suspend the transaction or block the account. Similarly, the Inspector shall also notify the relevant prosecutor and the Head of the Internal Security Agency. The prosecutor may also, by decision, suspend the transaction or block the account for an indefinite period.
As it was shown, the AML Act and Directive create a coherent and efficient system for combating money laundering and terrorism financing. Fintech, wishing to handle cross-border payment transactions, will be required to be part of it. This means imposing many obligations on it, especially information obligations towards the General Inspector, but also with the authorization to take measures to counteract crimes. This is therefore not only a requirement, but also a great responsibility. All this to ensure greater security of trade and ordinary citizens.
An important element of cross-border payments is currency conversion. Banks usually require payments in the local currency. Therefore, to ensure smooth transactions, fintechs must be able to change the payment currency. However, the problem arises with the rates, which may differ from each other.
In the case of Polish law, this issue is regulated by Regulation (EC) No. 2021/1230 of the European Parliament and of the Council. Its purpose is to harmonize the regulations in the Member States and ensure transparency and uniform protection against fraud in cross-border payments. This regulation applies to payments denominated in euro and in the national currencies of the EU Member States that have decided to extend the application of the regulation to their national currency.
First of all, the fees for cross-border payments must be equal to the fees for corresponding payments within a given Member State. This provision aims to unify the market and make cross-border payments more similar to domestic payments. This serves to increase market security.
In addition, the payment service provider must provide customers with:
This is to protect the customer. These requirements ensure that the customer is fully informed about the amount and any fees before making a transaction. There can be no situation where the customer finds out after the fact what the tariff is for a given fintech.
Customers who make and receive payments covered by the Regulation use their international payment account identification number (IBAN) and the business identifier code (BIC) of their payment service provider.
In many ways, fintech is the institution of the future. It allows financial services to be provided, on the one hand, by specialized entities and, on the other, in an easy and accessible way. Many people use their services to better organize their business activities. They have become a key element of the modern world.
Although one of the advantages of fintechs is their informality compared to banks, there are still requirements and rules that they must meet in order to function. Fintechs, especially those handling cross-border payments, operate in a very sensitive part of the market. They handle huge transactions and many customers every day. That is why it is so important for fintechs to ensure the highest possible quality of their transactions. The purpose of these requirements is to protect the interests of their customers and the security and stability of the market.
The requirements and rules for fintech will have their source in various acts. They will not be limited to one area, but will operate on different levels so that the protection they are to provide is as broad as possible. Depending on the law, they can also be very specific or general.
One of the more basic requirements will be the principles of consumer protection. It may seem strange that we will refer to them in this case, but let’s not forget that this is the basis of civil transactions. We must ensure that the interests of fintech customers are protected and their rights secured. This is the basis on which we will create further requirements.
Of the detailed requirements, three acts should be focused on. The first one will be the act on payment services. The regulations contained in it will serve to control and ensure the best possible handling of financial transactions conducted by fintechs. They contain procedures for conducting such services and requirements that a fintech must meet in order to be authorized by the state to conduct such transactions.
The second act worth noting is the EU regulation on the protection of personal data, known as the GDPR. In the case of fintechs, the directive is of great importance because the most sensitive data, such as the Personal Identification number, address or account number, pass through them. They can be used to extort money, impersonate other people or steal funds from bank accounts. It is no wonder that banks and fintechs are most often the victims of hacker attacks. This is why personal data protection is so important to them.
Another issue is the anti-money laundering regulations. They are included in the EU directive known as AML and the Polish act that is its implementation. This is to ensure the protection of payment transactions from being used for criminal purposes. Fintech has a number of control obligations regarding the transactions it handles.
The last regulations to keep in mind when examining this issue are the regulations regarding currency conversion.